Changing security realm of admin console

‏2007-10-11T13:17:29Z
Hi,

Is there a way to change the security realm of the admin console? I have written my own security realm, which works fine for self-deployed applications.
Now I wanted to change the security realm of the admin console, but I have not found a geronimo-web.xml that belongs to the admin console.

Re: Changing security realm of admin console

‏2007-10-16T09:56:10Z

This is the accepted answer.

When you build the server from source, the plan file will be generated to configs\webconsole-tomcat\target\plan\plan.xml. This plan file can be edited to change the realm-name from "geronimo-admin" to "my-new-realm" plus other changes to role-mapping and then redeploy applications\console\geronimo-console-ear\target\geronimo-console-ear-2.0.1.ear using this edited plan file.

Re: Changing security realm of admin console

Cool, it works!!
But: when I take the Apache Geronimo source for the console redeploy, the new console is of course the one from Geronimo. Is the source code of WebSphere CE also somewhere available to redeploy the original WAS CE console from IBM?

Re: Changing security realm of admin console

‏2012-03-19T09:33:51Z

This is the accepted answer.

Hello!

I'm using WAS-CE 3.0.0 and would like to change the security realm (to use with LDAP) of the admin console. I successfully deployed the realm but I am not able to use it. I tried to redeploy Geronimo 3 (I changed the plan.xml), but I can't find the geronimo-console-ear file. Is there any other way to secure the admin console?

Re: Changing security realm of admin console

Thank you very much.
I tried it and I can log in, but then I get an 'HTTP Status 403' error (Access to the specified resource () has been forbidden). Where can I set which roles have access to the admin console?

I had a similar problem with my own application and I changed the role mapping (in geronimo-web.xml) to look like this:

Re: Changing security realm of admin console

My web.xml looks like this:

    <display-name>WAServlet</display-name>
    <servlet-mapping>
        <servlet-name>WAServlet</servlet-name>
        <url-pattern>/*</url-pattern>
    </servlet-mapping>
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Resources</web-resource-name>
            <url-pattern>/*</url-pattern>
            <http-method>GET</http-method>
            <http-method>POST</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>abc</role-name>
        </auth-constraint>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    <login-config>
        <auth-method>BASIC</auth-method>
        <realm-name>LdapRACFRealm</realm-name>
    </login-config>
    <security-role>
        <role-name>abc</role-name>
    </security-role>

The login form is displayed and I can log in with my user, but then I get the error (HTTP 403). I think that only the 'admin' role can access the console (I don't have the 'admin' role in LDAP and I can't change the LDAP).
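
The following check is an added example, not part of any post in this thread and not Geronimo or WAS CE code. It reproduces the symptom described above (login succeeds, then HTTP 403) by comparing the roles a web.xml requires with the roles a Geronimo plan maps to principals, and it also flags BASIC/FORM login without a transport guarantee. The plan fragment, the `audit` function and the finding labels are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the security part of the web.xml posted above.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>abc</role-name></auth-constraint>
    <user-data-constraint><transport-guarantee>NONE</transport-guarantee></user-data-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
</web-app>"""

# Constructed Geronimo plan fragment (assumed layout): only 'admin' is mapped.
PLAN_XML = """<web-app>
  <security><role-mappings>
    <role role-name="admin">
      <principal class="org.apache.geronimo.security.realm.providers.GeronimoGroupPrincipal" name="admin"/>
    </role>
  </role-mappings></security>
</web-app>"""

def local(tag):
    """Strip any '{namespace}' prefix so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def find_all(root, name):
    return [el for el in root.iter() if local(el.tag) == name]

def audit(web_xml, plan_xml):
    web, plan = ET.fromstring(web_xml), ET.fromstring(plan_xml)
    findings = []
    # Roles that have at least one principal mapped in the plan.
    mapped = {r.get("role-name") for r in find_all(plan, "role")
              if any(local(c.tag) == "principal" for c in r)}
    for sc in find_all(web, "security-constraint"):
        required = {rn.text.strip() for ac in find_all(sc, "auth-constraint")
                    for rn in find_all(ac, "role-name")} - {"*"}
        for role in sorted(required - mapped):
            findings.append(f"unmapped-role:{role}")  # login works, then HTTP 403
    methods = {m.text.strip() for m in find_all(web, "auth-method")}
    guarantees = {g.text.strip() for g in find_all(web, "transport-guarantee")}
    # No guarantee at all, or only NONE, means the password crosses plain HTTP.
    if methods & {"BASIC", "FORM"} and guarantees <= {"NONE"}:
        findings.append("cleartext-credentials")
    return findings

if __name__ == "__main__":
    print(audit(WEB_XML, PLAN_XML))
```
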

Re: Changing security realm of admin console

My application works fine with my LDAP now. Thank you.
Does anyone know if it is possible to change the 'admin' group to access the admin console? Is it possible to access the admin console with a user from any other group of my LDAP?

Re: Changing security realm of admin console

For the group in the admin console, without using LDAP, you can add a user through "Users and Groups" --> Create New User in the admin console, then add it to the admin group; you can then use it to log in to the admin console.
For the LDAP group, you can add users under ou=users,ou=system to cn=admin,ou=groups; for example, add the attribute uniqueMember with the value uid=test,ou=users,ou=system.
Then you can access the admin console using the account test/password.
